Exam 300-210 topic 1 question 377 discussion

The answer is not D. It is A...

But A seems better (sorry for spamming) Syntax for Correlation Host Profile Qualifications To constrain a correlation rule based on the host profile of a host involved in the event, add a host profile qualification. You cannot add a host profile qualification to a correlation rule that triggers on a malware event, traffic profile change, or on the detection of a new IP host.

Hmm On 6.6 version things have changed so i ve changed my mind . D seems correct Correlation and Multitenancy In a multidomain deployment, you can create correlation policies at any domain level, using whatever rules, white lists, and responses are available at that level. Higher-level domain administrators can perform correlation within or across domains: Constraining a correlation rule by domain matches events reported by that domain's descendants. Higher-level domain administrators can create compliance white lists that evaluate hosts across domains. You can target different subnets in different domains in the same white list.

D is wrong Managing Correlation Policies Changes made to active correlation policies take effect immediately. When you activate a correlation policy, the system immediately begins processing events and triggering responses. Note that the system does not generate white list events for non-compliant hosts on its initial, post-activation evaluation. In a multidomain deployment, the system displays correlation policies created in the current domain, which you can edit. It also displays selected correlation policies from ancestor domains, which you cannot edit. To view and edit correlation policies created in a lower domain, switch to that domain. Note The system does not display configurations from ancestor domains if the configurations expose information about unrelated domains, including names, managed devices, and so on.